CCATP_2024_12_29
Bart Bouchotts explores cybersecurity careers with Irish students, addressing critical shortages, myth-busting, and the importance of compliance and collaboration in enhancing security practices.
Automatic Shownotes
Chapters
0:14 Introduction to Cybersecurity
1:19 Engaging with College Students
4:09 Career Insights in Cybersecurity
6:25 The Role of a Cybersecurity Specialist
7:48 Understanding Security Operations Centers
9:17 Incident Response and Monitoring
12:29 The Importance of Checks
16:29 Maintaining Cybersecurity Standards
26:43 Characteristics of a Cybersecurity Specialist
32:34 Risk Analysis and Financial Decisions
35:04 Conclusion and Reflections
Long Summary
In this episode, I chat with Bart Bouchotts, and we delve into the intricacies of a cybersecurity career through his recent experience speaking with secondary school students in Ireland. Bart shares valuable insights about guiding these young minds as they ponder their future career paths, particularly in the field of cybersecurity—a sector crucial for our increasingly digital world.
We kick off the discussion with Bart describing his interaction with 15-year-olds who are just beginning to explore their interests in information technology. He highlights the unique structure of their education, where students have the opportunity to engage in work placements to gain real-world experience before making significant decisions about their studies. This proactive approach enables these students to gain firsthand insights into the realities and demands of IT professions as they prepare for their futures.
Bart emphasizes the critical need for cybersecurity specialists, especially given the alarming shortage in the field. He provides a candid look into his responsibilities, breaking down his weekly tasks into simple segments, contrasting the common stereotypes about working in cybersecurity with the actual nuances of the role. Many assume it's just about battling hackers on black screens, but Bart clarifies that his job encompasses preventative measures, monitoring systems, and responding to alerts—much of which is facilitated through cutting-edge security operations that are often outsourced.
Our conversation deepens as Bart explains the importance of understanding normal system behavior to identify abnormal activity effectively. He shares how monitoring and checks form a routine part of his work, making it essential to know what constitutes the 'norm' before identifying anomalies. Bart elaborates on the powerful changes in tools and processes that help mitigate cybersecurity risks, particularly highlighting the implementation of multi-factor authentication—an innovation he considers a game-changer in protecting against data breaches.
The talk also covers the regulatory landscape in which Bart operates, stressing the necessity for compliance with laws governing data protection and cybersecurity standards. He discusses the vital role audits and objective checks have in maintaining robust security practices. Bart's commentary on the cyclical nature of these processes—monitoring, checking, maintaining—illustrates the ongoing battle in the field against emerging threats.
Towards the end, we touch on the need for cybersecurity professionals to remain ever-evolving learners, continuously adapting to changing technologies and methodologies while engaging with colleagues across various departments. Bart underscores the importance of collaboration and fostering open communication within organizations to ensure that security considerations are embedded in every aspect of the business, which in turn enhances overall security posture.
In sharing these insights, we not only shed light on what it means to be a cybersecurity specialist but also inspire potential future professionals to consider a path in this dynamic and impactful field. Bart’s enthusiasm for his work is infectious, and our discussion serves as an important reminder of the critical role cybersecurity plays in our digital lives and the various ways we can contribute towards a secure future.
Brief Summary
In this episode, I chat with Bart Bouchotts about the dynamics of a cybersecurity career, focusing on his interactions with secondary school students in Ireland. We discuss the proactive educational approach that helps students explore IT careers and highlight the critical shortage of cybersecurity professionals. Bart dispels common myths, explaining that the role involves monitoring systems, implementing preventative measures, and understanding normal behaviors to detect anomalies.
We also cover the importance of compliance, audits, and continuous adaptation in the face of emerging threats. Bart emphasizes collaboration across departments to enhance overall security. His enthusiasm for cybersecurity aims to inspire future professionals in this essential field.
Tags
Bart Bouchotts
cybersecurity career
secondary school students
Ireland
educational approach
IT careers
shortage
professionals
monitoring systems
compliance
audits
collaboration
future professionals
Transcript
[0:00]Music
[0:07]Well, it's that time of the week. Again, it's time for Chit Chat Across the
[0:14] Introduction to Cybersecurity
[0:10]Pond. This is episode number 805 for December 29th, 2024. And I'm your host, Alison Sheridan. This week, our guest is Bart Bouchotts. We recorded this quite a bit ago to get it ready for today. So let's just dig right in. Well, hi, Bart. Welcome to the show. We're going to have a little bit of a different topic today. Is that right?
[0:30]We are, because while I am perfectly capable of stringing a sentence together today, I can't put multiple of them in the right order very well, because I had a little bit of, what are we calling it, a minor medical procedure yesterday. And I'm on painkillers I'm not used to.
[0:46]So there's painkillers you are used to?
[0:50]Not really, no. An aspirin, does that count?
[0:53]Okay, okay. Okay. Well, so Bart was going to do a Programming By Stealth, but we are definitely not in the realm of capabilities of that. And so I'm going to maybe do a little more directing of the conversation in case Bart wanders off here. But you had a recent opportunity to talk to some college students to try to give them an idea of what a cybersecurity specialist does. And it sounded like a really interesting topic for us to have as an audio recording,
[1:19] Engaging with College Students
[1:18]which you can also point to. So if people are interested in pursuing this kind of career, what is it really like? What does it mean? Is that a good way of starting us out?
[1:27]It is. And so I guess for a little more context, so these students are halfway through their secondary education. So in Ireland, we break. So you have like the equivalent of your lowest school. And then at about age 12, you go into secondary school here. And halfway through, you have to make decisions. You have to choose, because you do way more subjects for the first half than the second half, and you have to choose what you throw away.
[1:51]So hang on. So this is not university or college or whatever word you want to use? This is still what we would call high school?
[1:58]Yes, this is halfway through high school, so age 15-ish.
[2:02]Oh, okay, so you're getting them young.
[2:04]Right and so these students have the choice to take a year between the two halves. And in that year, they're physically in school, but they have no classes. They do project work, they do work experience. So they're encouraged to be a part of the community. And if they think they're interested in a line of anything, they have to find work placement for themselves with the help of their teacher who guides them as a mentor. And so we had a bunch of them with us in IT services. So they're all 15 year olds who think IT might be something they're interested in, but they have no real idea because they're 15. So they found a place who would take them in for a few weeks to give them an experience of the real world.
[2:48]Wow, that's really cool. We try to wait until somebody's, I don't know, you know, 22 years old, gets out of college with a degree in that subject, and then they find out they don't like it.
[2:57]Right, yeah. So, I mean, I think it's great. And so obviously the students are well motivated because they're here because they want to understand what it's really like, not just what it says in their textbook. And so a lot of us in the department volunteered to chime in. And I was asked if I could give, I think it was 45 minutes I was asked to have a conversation. And, you know, there was only a few of them. And the idea was a conversation, not a lecture. Now, I don't like to go into anything unprepared. You may have noticed that. So I prepared a slide deck, which was never intended to be presented as a lecture. It was only ever intended to be on in the background because our smallest meeting room is quite cozy, but it does have a very impressive television. And so you sort of put it on in the background and then we can look at it. And sometimes if we have to refresh our memory about something, we can look at it. But it's not guiding the conversation. It's just, you know, prompts.
[3:55]OK.
[3:56]And we just had a chat. And I remember while I was doing it thinking, I think, A, I'd like to talk to Alison about this. And B, there is a shortage of people in cybersecurity, and we're not going to need less of them.
[4:09] Career Insights in Cybersecurity
[4:09]That's the one thing I'm certain of. And so if you are making decisions about your future, and you're looking for a career where you're not afraid it's going to disappear in a week because AI is going to take your job, you could do worse than getting into cybersecurity. And I also think it's hilarious that I have never in my entire life had a job that my mother understands. And cybersecurity specialist didn't help. Going from sysadmin to cybersecurity specialist didn't make that better because...
[4:40]Oh, you just need to be better at explaining it to her. She's smart.
[4:43]She is, but I'm also not entirely sure she's as motivated to care as the students I was talking to were. Do you enjoy it? Yes. Okay.
[4:54]Well, I liken to this when, you know, you ask a little kid, you know, what does mommy or daddy do? And the answers are often quite humorous, even though you've tried to explain it to them, right?
[5:05]Yeah, they wear a suit. Oh, yeah. In my case, I got so wrong. So my dad is an electrical engineer who worked in a factory making transformers. I liked cartoons. What do you think I think might or I thought my dad made? It was not boxes that change high voltage to low voltage. I can tell you that.
[5:24]Well, my dad was an engineer, and all my friends would always say, oh, he runs a train.
[5:28]No. A fire engine, silly.
[5:34]Right, right. We had Take Your Child to Work Day. And Kyle, my son, is one of the snottiest but funniest people I know. And after spending the day with me at work, he wrote in Spanish, because my daughter Lindsay had written in Spanish on my whiteboard the year before something quite nice. What he wrote in Spanish was, all my mother does is talk, talk, talk. And I asked him what he meant. And he said, well, you didn't make anything. And he thought I made things. And the more I thought about it, the more I realized he was right. As a manager of sysadmins, I didn't produce anything. And I said, well, I write emails and I make PowerPoint presentations. He goes, that's just talking with your fingers, mom. And I realized he was right. All I did was talk, talk, talk for like the last, I don't know, decade of my career.
[6:22]Yeah, but the thing is, when you talk the right way, things do get done.
[6:25] The Role of a Cybersecurity Specialist
[6:26]Right, it just wasn't me. Well, anyway, so Bart, what does a cybersecurity specialist do?
[6:34]So I spent a long time trying to figure out how to summarize it, and I ended up writing it down as names of words with emojis. Because I sort of thought, okay, I come in in the morning on Monday, and then I leave on Friday. What do I do between those two things? And everyone assumes I spend all of my time looking at some sort of a green, a black screen with green text and fighting hackers. That's what everyone thinks a cybersecurity specialist does. So it is true that reacting to incidents is absolutely part of my job, right? There are things that go beep, and when they go beep, someone has to go and look at them. Most of the time, thank goodness, they go beep because nothing has actually gone wrong. Or it's because something's starting to go wrong. But if you get in there quick enough, you can stop it doing major damage. And a lot of systems are here to help us these days. So it's really interesting how the amount of damage done before something goes bing is so much less now than it was two years ago.
[7:37]Because you've been doing a good job setting things up then?
[7:41]Arguably, because one of the things I have been involved heavily with is pushing multi-factor authentication for everybody.
[7:48] Understanding Security Operations Centers
[7:49]Everybody, everybody, everybody. And that has made the single biggest difference of anything that has changed in IT in the last decade. Just multi-factor.
[7:59]Let me interrupt you to tell people something that they might not know or to get you to tell them. I always thought, oh, isn't that cute? Bart works at this little tiny university in Ireland. I mean, how many users can he have? Like 150? How many people, if you count all of the students and all of the professors, how many people are we talking about?
[8:19]In terms of identities, i.e. accounts, you're talking approximately 30,000.
[8:26]That's as big as my global corporation I worked for, for Raytheon, was 30,000 people. That is insane.
[8:34]Yeah, because if you're a part-time student, you get a full account, right? There's no such thing as a half account. You have an account, or you don't have an account. If you give one lecture a month as a visiting lecturer, you have an account. You have an identity. You are here. You can be attacked, right? So everyone who's involved with the university has an identity. So in terms of how many identities there are out there that we could be attacked by, it's tens of thousands.
[9:00]That's crazy. That's crazy. I'm really glad you told me that at one point, because I was kind of like, oh, I mean, I've seen the university. It's not that big. I mean, physically, no, it's a good size, but it's not this monstrous facility, you know.
[9:17] Incident Response and Monitoring
[9:13]Yeah, I can walk from one end to the other quite comfortably, and do quite often.
[9:18]Right, right. Okay, so you respond to possible incidents when things go beep.
[9:22]Yes. Now, here's where there's a really important point here, right? Because what's going beep, a lot of what's going beep, the thing people think I do, is something almost everyone outsources, because almost no one is big enough to do it themselves. It's a security operations center, a SOC. So there are people whose job it is to watch in real time what's going on and to respond. And that's really difficult, and like, you would need at least three or four full-time people for an organization of our size, and the skill level you need to continue to fine-tune the tools used in a security operations center, these are very skilled professionals. So we couldn't afford that, so that's outsourced. So you buy security operations center as a service. So I can get malware as a service. You can get 24-7 eyes on your systems as a service.
[10:16]You said you're reacting to alerts and responding and monitoring, but it sounds like somebody else is doing that.
[10:24]What they're doing the 24-7 and they're doing, their expertise is filtering. It's like the world's biggest funnel. So every event that happens is an event, right? Someone's opened a file. Someone's logged in. Someone's sent an email. Someone's forwarded an email. Someone's replied to you. They're all events, millions of them. And they all go into the big end of the funnel. And then there's a whole bunch of AI that crunches through all that data and goes, well, that's weird. That's not normal.
[10:50]Looking for something out of pattern.
[10:53]Something out of pattern. Then there's a whole bunch of rules written by those very intelligent humans we outsource to. And they write patterns of known malware. It is known that this is an attack. It looks like this. It is known that this is an attack. And they update that many times a day. So that's chunking away at those millions. And that gets it down to thousands. And then those thousands go through more clever algorithms. And that gets it down to hundreds. And then the human beings, who are not us, look at those hundreds. And they filtered that down to three or four. And those three or four go bing for me.
[11:26]Oh, wow. Okay, okay. And I get why that would be much more efficient to have an outsourcing company do that because they're doing it for so many people. All right. Yes. Are we past the first bullet now? Next is monitor?
[11:41]Next is monitor. So one of the most important things to know is what is normal? That is, if you don't know what one of your systems is supposed to look like, the chances of you spotting the start of something bad is about zero.
[12:00]If you look at a dashboard and you can't say, normal, a little bit busy today, that's odd. If you can't say, oh, that's odd, something's wrong. So a big part of my week is effectively like a physical security person patrols. I have a whole bunch of dashboards. And to make sure that it gets done consistently, there is a runbook I follow.
[12:29] The Importance of Checks
[12:26]Literally, "weekly baseline security checks" is the name of the runbook. And that is a list of tasks, and there is a matching note, a OneNote in fact. Every week a new page is started and a log is taken of the baseline checks, and every week we go through the steps and we record, yeah, I did it, and what was different. Sometimes the answer is, no, it all looks fine. Almost never do you find nothing, right? In theory, every single server automatically patches itself every 24 hours. In theory. In reality, when you look at the dashboard, you see that there is a server there with a patch level of minus five days. So why are you five times worse than you should be? What's going on here? Okay.
[13:13]So is part of that knowing what normal looks like? Like, you now know what normal looks like, so you can recognize abnormal? Yeah.
[13:22]It's a simple question. Like, okay, so you're currently having 500 users log in every minute. Is that normal? Yes. You're currently having 5,000 login attempts. Is that normal? No.
[13:35]Okay.
[13:35]What's going on here? Ah, brute force attack. Nowadays, it's almost always password reuse, so-called password stuffing. There has been another data breach. I'm sure there has. I don't even know which one it is. I promise you there has.
[13:47]It just happened.
[13:48]It just happened. Guarantee you, whenever you're listening to this, doesn't matter. It's true. Right. And they are taking those passwords and they are trying them. Okay. And so what you will see is a spike of failed logins. Or actually, no, what you will see is a spike of successful denied logins.
[14:07]Okay.
[14:08]Okay. Correct username, correct password, multi-factor failed. Correct username, correct password, multi-factor failed.
[14:15]Wow. Okay. And that's a success, but you'd still want to stop. But I'm going to stop here for a second. I have to be amazed when you talk about every server is patching itself every day. And if something's five days out, that's a catastrophe. I distinctly remember when my sysadmins asked me to beg our customers to let us upgrade Oracle once every three months. Beg our customers. And they said, no, not my systems. No, they're critical. They can't be offline for even a minute. I can't take the risk that it's going to change the software in any way, shape, or form.
[14:52]Yeah, so there's a couple of things going on here. One of them is good tooling. So modern Linux can change the kernel while the OS is running.
[15:02]Ooh.
[15:03]That is like changing your tire while you're driving up the highway. Yeah. It is astonishing technology. It's called hot patching. It's coming to Windows 2005, by the way. So Windows Server 2025 is going to be as powerful as Linux is now. So that's good news for all the Windows e-server people. But that means that you can apply those updates without rebooting. That means no downtime. And then the other thing is an enterprise. What's different about enterprise Linux versus desktop Linux? The answer is on enterprise Linux, the version number of everything is locked. So you will have Apache 2.0 for the entire lifetime of Red Hat Enterprise 8 or Red Hat Enterprise 9. And the only thing they will do is bug fixes and security updates. You will stay at that version of Apache with all of its behavior for the entire life of that version of Red Hat. And they will just make sure it's not insecure. And so those patches you're applying won't change something out from under you because they can't. That's an upgrade, not an update. So if your version of WordPress says, well, I need PHP 8 now. And that version of WordPress or that version of Red Hat came with PHP 7. You have to manually log in and go yum upgrade php 8 whatever, and then you'll get those changes, so that you won't get the breaking changes from auto-updates
[16:29] Maintaining Cybersecurity Standards
[16:25]on an enterprise product. That's what makes an enterprise. Okay.
[16:29]Let's get back on topic here. I've driven you off the road with your wheels changing while you're driving. So we've done respond and monitor, and then next is check.
[16:41]Check is really important. So you have to, by law, make all sorts of commitments to auditors, or there are commitments made for you, right? We work under regulations that say every public body must meet a minimum standard that is X. It's a bit like NIST. So in America, if you're a government contractor, you have to meet the NIST standard. Ireland has an equivalent of that for anyone who gets taxpayers' money. If we are giving the hard-earned money of the Irish taxpayer to you, you in response must do the bare minimum not to be hacked to be Jesus. That is a condition of getting that money. Okay. So you have to commit to certain patch levels. You have to commit to certain rules. And you are audited, which means it's not okay to say, oh, our policy is. That does not get you past an audit. They will say to you, okay, fine. Prove you get it.
[17:38]Prove. Which means you have to check every assumption. I assume everything is at a certain patch level. Is it? Better run a script. That script had better write to a log file. That log file better be dated, and you better have the full history of that script going back. If your process is you check weekly, you better have weekly CSV files, right? If you say we guarantee that every service does a certain thing. We have a firewall on every server. Well, log into every server, make sure it hasn't crashed. Has your firewall crashed? You'd be amazed how often actually the process can die. firewalld can just die.
[18:20]You said you've got a script that runs that checks all this and then it writes out a CSV and you've got that. But are you then looking at that CSV and reading it or what do you have? What does the security specialist do with that?
[18:35]Okay, so for a start, you have to write a lot of those scripts, because none of these things are static. So you are making every year, an auditor's job is not to be your enemy. An auditor's job, your auditor is your best friend. This took me a while to comprehend that, because you think, oh, auditors, they're the baddies. But they're not. They're your complete friend.
[18:54]They're terrible.
[18:55]And if they're good auditors, they will end with, okay, you've passed. You said you did X and you did X. That's great. But if you did Y, you'd be more secure. So can you make us some new promises so that when we come back next year, we can audit you against those enhanced promises? Or the less friendly version of that is you have cyber insurance. And every year, they ratchet the screws a little bit because they're more and more afraid of how much money you could cost if something goes terribly, horribly wrong and the baddies aren't sitting still. So every year, the minimum standard for your premium not to go up goes up a little okay.
[19:35]So, so you're running the scripts and you're writing the scripts. Are you looking at the results of the scripts?
[19:40]Oh, yes, absolutely. That is a big part of our processes, weekly reviews of that. Sounds boring, you would imagine it would be, but it's usually where mysteries come from. Mysteries are okay.
[19:50]The puzzle part. Okay.
[19:53]Yeah, there's a lot of puzzling going on. And a lot of the time, like, there is, in particular, a university is a very open place, right? You lived your career in an enterprise where IT had a lot more power than IT in a university does. Because in a corporation, the employee, okay, hypothetical, especially in a modern corporation, corporate IT can say to an employee, no, you'd like to go to PayPal.
[20:21]It was on the path to get there, Bart. It was on the path to get there. Much to the consternation of every employee, by the way.
[20:28]Okay. Well, in this day and age, if you worked in enterprise, it would just be no. These websites, no. Facebook, no.
[20:36]Yeah, it was getting there. Yeah. What's this got to do with the check?
[20:40]Ah, what it's got to do with the check is one of the least favorite words for every university IT person. Why you have to check. What those mysteries prove to be almost every time. The answer is almost always the same. So academics have academic freedom. They use that academic freedom for what we call shadow IT. They invent their own solutions to things, yes, and they very often do not do so in an even vaguely secure way. Yes. And we are responsible for the entire IT footprint of the university. It doesn't matter who stamped the footprint in the sand. It's still our problem. So a lot of the time when you check assumptions, you find there is an unknown unknown. It's like, what? What? What is this?
[21:30]It's interesting and kind of fun to solve the puzzle.
[21:33]Challenging, yeah. It's certainly one of the parts of the job that is the opposite of boring, right? You're saying, oh, yeah, just looking at outputs of scripts is boring. No, they almost always involve a mystery. The other thing that you will see is you get to know the shape of what the baddies are doing. You get to, I say, oh, try on that little trick again, are we? Oh, I've seen that before. At the moment, the classic one, right, the pattern I see all the time, you know, username and password, correct, multifactor authentication denied, location, India. Same thing, location, always Missouri for some reason. Same thing, location, Amsterdam. Okay, distributed. They're just trying on a few different proxies. They're trying to see if you're doing conditional access based on location. You recognize it straight away. You, you know, you force change the password because it's password reused. The baddies have the password. Sorry, user, you can't have that password anymore. You let it go. Gone now. That password is not allowed. Change it. Problem goes away. And so you recognize them. But then you get a pattern that you don't recognize. And then you're like, okay, something's gone wrong here. There is someone logged into this account who shouldn't be, and they didn't get in through any of the ways I've seen before. How? How did they get here? Step one, lock it down, kick them out. Great. Step two, how? There was a door somewhere that a horse bolted through. You haven't closed it yet.
[23:01]Oh, okay.
[23:02]Right. How?
[23:04]You got that horse out, but.
[23:07]Right. What do I do to stop that happening again? And if you can't answer, okay, great. An account was compromised. You figured out what the baddies got. You locked it down. You detected whether or not there was a data breach. You've done all of your homework. Your manager isn't happy yet, because your manager's next question is, and so how are we going to stop that happening to the president's account? What happened? What went wrong here? And then you are into the audit logs. And then you realize just how much logging there exists in the universe. And then your skills at data manipulation, your skills at languages like KQL, the cluster query language for breaking down into the logs, really come into it. And you will discover a new technique that's new to you. The chances are it'll then become really common, because the baddies copy from each other all the time, and it will be a new normal, and it will become your new best friend, and you will tweak some knobs and you will tweak some things and you will start to see, and we block that one and we block that one.
[24:03]I've had my hand up for a long time, so this is going to sound like I just came out of nowhere on this, but back when you were talking about the typical things where you find something interesting that you didn't expect to see, I remember our IT security finding somebody who had a rogue Wi-Fi access point, and it turned out to be the physical security people, which was comedically enjoyable. Yeah, anyway, that
[24:30]is not okay. So that is not unheard
[24:32]of. Are we ready for maintain? I
[24:34]think so, yeah. So, yeah, absolutely. So, you can be every... if you have defenses in place for every attack you know about, you may think, oh, we're done here. But you're not. Because like I said, when you're doing your check and your measure, you're going to find new things that didn't exist yesterday. New vulnerabilities that didn't exist yesterday. So the defenses you have, it's like a car. You can't just set it up and then drive for infinity.
[25:02]So this is changing the oil.
[25:04]Yeah, you have to keep everything running at its best, because what it means to be running at its best is always changing a little. It's not... sometimes it changes really quickly, but most of the time it's evolving. But if you don't keep up with it, it is not long until your amazing defenses are awful. So you are constantly tweaking and tuning, and the check feeds into the maintain a lot, because that's going to tell you where things aren't going great. And then you've got to ask yourself, okay, well, what dial can I twiddle, right? What can I do to address this measured shortcoming, right? I have a fact here that this is where we are not good. How do I make us improve that fact? Maybe it's buy a new product. Usually, though, it is change a policy, some sort of a policy somewhere. That then involves change control and a lot of negotiation, because maybe that policy is a balance, if not maybe, almost certainly, that policy is a balance between a risk and a reward. It makes something we like easier or possible at all, but it also makes something we don't like easier or possible, and you may have to rebalance. And then you're into change control and you're into putting your diplomatic hat on. I have to wear my diplomatic hat a lot.
[26:23]I think that. Yeah, I'm starting to think a third slide you could present someday is what are the characteristics of my personality that make this a good fit for me, right? That's another vector to the same thing is because you like a puzzle,
[26:43]
Characteristics of a Cybersecurity Specialist
[26:40]because you like writing scripts to solve problems. What are those things about you? We don't have time for that today, unfortunately, but I think that's a whole other part of it. Because that would speak to the students, too, to say, you know, am I that kind of person? Right.
[26:54]Yeah, that's a really good point. The other very much related thing is you always, always have to be learning. So you can't ever assume that you know everything because you can't, because by tomorrow there's something new. And so you're always curious. You're always keeping your ear to the ground. You are reading the news sites. You are getting information from wherever you can to know about what the trends are, what's new in terms of risks, what's new in terms of technologies. You're just learning.
[27:18]That's the easiest one for you, right?
[27:19]Yeah, naturally curious is definitely a good quality, personality feature. The other thing is you are always enhancing. Like security, perfect security is plug everything out, encase it in concrete and throw it in the river. That's perfect security. Anything less than that is imperfect. There is always room for improvement. You are always finding ways to enhance security. And because of the concept like academic freedom, engagement is spectacularly important. So engagement for me is with my colleagues in IT services, with my colleagues in other departments who have technical people, with the university staff as a whole, with the university staff, students and admins, with my opposite numbers in other universities, with the Irish national bodies like the National Cybersecurity Center, those kind of people.
[28:12]And with corporations. We have vendors. Those vendors know things. Those vendors, the things they know, maybe I need to know. I spend a lot of time... and the other way around too, by the way, things I know that our vendors should know as well, right? Engagement is very much two-way, right? What should they expect from us? What may be totally normal for another client, if that happens from us, that's a sign we have a really big problem. So if we don't engage with the vendor, all they can do is say, we'll assume those people are like all the other people. But if we can tell them, well, actually, no, we only use your service for this specific subset of features. If we ever try to use one of these features, it's not us. You should have an alert on that, or a firewall blocking that, or whatever. So you're always engaging, and they're going to tell you, we've had five clients who've had this horrible thing happen. If you don't want to be number six, you should do this, right? So you have to have that channel of communication. And then the other thing is you must be approachable. Because what you really, really, really, really, really want is that people are not afraid to say, hey, we're thinking of doing...
[29:24]Anything we should think about? Yeah. And you want that before vast amounts of money are spent, before everyone has finalized the design, before resources are being committed. Right, yeah, hearts, resources set on it, right? The earlier people feel comfortable asking for your advice, the better off you'll be. And you can't force that on people. That is about being open and friendly. And above all, you come into the conversation with the question, and I always think of you, what's the problem to be solved? And I use those words every single time, because if they think that I'm there to say no instead of, okay, we can solve that, you want to solve your problem X way, you should solve it Y way, but we will solve your problem, that's a much easier conversation to have. Solve your problem different versus, oh no, oh no, no, no, no, right? You're not welcome back a second time if your answer is just no.
[30:30]I was going to say, they invite Bart to the party because if you ask that question, right? He's like, no, let's figure out how we can solve this. But let me make sure I understand the problem first before I give you a solution.
[30:39]I never go into a meeting, I never say anything for at least the first half of the first meeting, other than questions. So I am a sponge of information for the first half of the meeting. And only then do I speak. And that way I get invited back because they're not like, oh, he's not here to tell us what to do. He's here to help. And yeah, you have to take that approach.
[31:06]Yeah, I can imagine that works a lot better.
[31:12]And that works.
[31:14]That's good to know.
[31:16]I'm not sure it works all the time. I don't know what I'm not invited to, but I do know I'm invited to a lot of things.
[31:23]That's good. That's good. That's really, really interesting, Bart. I like this approach of looking through each one of these pieces. When I looked at this list, I wondered about one other thing. In my experience, and again, totally different kind of company, a long time ago, and hopefully it's gotten a little bit better, there was always a point where there was a risk analysis. And the way the risk analysis worked in our company, anyway, was you look at what's the bad thing that could happen. And the other axis was what's the probability that it will happen. So, you know, lose all of our money, but it's a 0.001% chance that would happen, or this incredibly important security thing, but what's the probability of that? And then it was usually taken out of the hands of the security people because somebody was going to make a financial decision. And it was often the security specialist's job would be to try to convince them that this is a bad enough threat that I think it's worth spending the money,
[32:34]
Risk Analysis and Financial Decisions
[32:32]even though this is going to be a bunch of money to fix this problem. Do you ever get involved in that part of the process? Yeah.
[32:39]Tangentially, because the last word of your job title is very meaningful in the public sector in Ireland. So if you're a specialist, it means you are technical, not managerial. Then the next level up from a specialist is a manager, then a head, and then a chief, dot dot dot. And so the money decisions rest at the head and chief level, and the manager's job is to argue with the heads and the chiefs, and the specialist's job is to provide the facts for the manager to be able to have the conversation. So I have to provide the facts.
[33:21]You have to give those two axes, though. You have to give those facts of, what do I think the chances this could happen? Yes. And what is it going to cost? Or, you know, what is the effort that needs to go into to resolve or keep this from happening?
[33:36]Absolutely. And I don't only get to say what the risk is. I have to be able to say why I say that. I can't just say, oh, that's a 50-50 chance. I'm afraid I've got to back it up a little bit and actually justify that number. So I've got to justify the risk and I've got to justify the potential damage. And a lot of the time it kind of comes about by saying, well, okay, this has happened five times in the last year, each time it had this effect, there is a product available which costs this amount, that is an order of magnitude less, and it would make this not happen again. Those kind of things. And the facts are based on, well, okay, so the measure, all right, that measure and check, measure and check, measure and check, that is the input to those conversations. And they happen, obviously, above my pay grade, yeah.
[34:26]I think where I was, I was more in the fighting about the money part, and I was getting the facts from people who at that time were not officially cybersecurity specialists, because I don't even think the title had been invented yet. I'm so old, my stories will be like talking about a spinning wheel, you know.
[34:46]But I'm kind of like, I'm like a security sysadmin, right? So like a sysadmin is a specialist of server-y stuff, whereas I'm a specialist of the cybersecurity stuff. And so in the same way that a sysadmin probably isn't going straight to the people with the purses, the cybersecurity specialist isn't going straight to the budget holders.
[35:04]
Conclusion and Reflections
[35:04]Right, right. Well, I think this is really cool that you did this for us, but even more to do it for young people to understand what's out there. And I think that's a pretty nifty system that you had the opportunity to do this. So thanks for coming on the show and doing this. You sounded perfectly lucid to me, sentence to sentence, Bart. I think you're fine. Maybe not Programming By Stealth fine, but definitely for this.
[35:27]No, I got to weave a whole thing together, fine for that one. I did actually try to have the conversation explaining submodules to my darling beloved, and it didn't go well. If I can explain it to my darling beloved, I can't explain it to the audience, trust me.
[35:42]That's for sure, that's for sure. All right, well, I think your security bits sign-off might be the right one to go with.
[35:50]I think you're probably right. Until next time, remember to stay patched so you stay secure.
[35:55]I hope you enjoyed this episode of Chit Chat Across the Pond. Did you notice there weren't any ads in the show? That's because this show is not ad supported. It's supported by you. If you learned something, or maybe you were just entertained, consider contributing to the Podfeet podcast. You can do that by going over to podfeet.com and look for the big red button that says support the show. When you click that button, you're going to find different ways to contribute. You can donate one time through the big donate button with a credit card or Apple Pay, or you can use PayPal. If you want to make a recurring contribution, click the Patreon button. Keep in mind, I don't charge Patreon for Chit Chat Across the Pond or Programming By Stealth episodes, just once a month for the NosillaCast. That keeps it simple. If you want to contact me for any reason, you can email me at allison@podfeet.com, and you can follow me on Mastodon at podfeet.com slash Mastodon.